Hello,
I have the logs coming from our IPS in the format below:
Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, IngressZone: Default-VRF-location, EgressZone: Prod-location DE: Primary Detection Engine (7eaa2610-2c9a-11e7-a3ec-f9112474357f), Policy: LO-Access-Policy, ConnectType: End, AccessControlRuleName: DefaultVRF to DCLAN, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 2, InitiatorBytes: 234, ResponderBytes: 136, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
If I want to filter the events and pick only the information below via a Heavy Forwarder, will Splunk allow me to do that?
Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required
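As an added example (not part of the post), the field allow-list applied to the sample connection event in Python, alongside the equivalent SEDCMD rewrites that a heavy forwarder's props.conf would apply to _raw at parse time; the sourcetype name and the SEDCMD class names are assumptions.

```python
import re

# Constructed sample, copied from the connection-log format quoted in the post.
SAMPLE = (
    "Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, "
    "DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, "
    "EgressInterface: Prod, IngressZone: Default-VRF-location, EgressZone: Prod-location "
    "DE: Primary Detection Engine (7eaa2610-2c9a-11e7-a3ec-f9112474357f), Policy: LO-Access-Policy, "
    "ConnectType: End, AccessControlRuleName: DefaultVRF to DCLAN, AccessControlRuleAction: Allow, "
    "Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 3, "
    "ResponderPackets: 2, InitiatorBytes: 234, ResponderBytes: 136, "
    "NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: Unknown, URLReputation: Risk unknown"
)

# Fields the post wants to keep; output preserves the order they have in the event.
KEEP = ("Protocol", "SrcIP", "OriginalClientIP", "DstIP", "SrcPort", "DstPort", "TCPFlags",
        "IngressInterface", "EgressInterface", "ConnectType", "AccessControlRuleAction", "UserName")

# Syslog timestamp, host and the "SFIMS: " tag that precede the key/value body.
HEADER = re.compile(r"^(?P<header>\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ SFIMS: )(?P<body>.*)$")
# "Key: value" pairs. Keys may contain a space ("Prefilter Policy"); a value runs until the
# next key, which is introduced by ", " or, as with "EgressZone: ... DE:", by a bare space.
PAIR = re.compile(r"(?P<key>[A-Za-z][A-Za-z ]*?): (?P<val>.*?)(?=,? [A-Za-z][A-Za-z ]*?: |$)")

def parse(event):
    """Split an SFIMS connection event into its header and an ordered list of (key, value)."""
    m = HEADER.match(event)
    if not m:
        raise ValueError("not an SFIMS connection event")
    return m.group("header"), [(p.group("key"), p.group("val")) for p in PAIR.finditer(m.group("body"))]

def trim(event, keep=KEEP):
    """Rebuild the event with only the allow-listed fields."""
    header, pairs = parse(event)
    return header + ", ".join(f"{k}: {v}" for k, v in pairs if k in keep)

# Equivalent rewrite on the heavy forwarder (props.conf, assumed sourcetype stanza [cisco:sfims]):
#   SEDCMD-1 = s/, IngressZone: .*?, ConnectType: /, ConnectType: /
#   SEDCMD-2 = s/, AccessControlRuleName: [^,]*//
#   SEDCMD-3 = s/, Prefilter Policy: [^,]*//
#   SEDCMD-4 = s/, InitiatorPackets: .*$//
# The spans do not overlap, so the order in which Splunk applies them does not matter.
SEDCMDS = [(r", IngressZone: .*?, ConnectType: ", ", ConnectType: "),
           (r", AccessControlRuleName: [^,]*", ""),
           (r", Prefilter Policy: [^,]*", ""),
           (r", InitiatorPackets: .*$", "")]

def apply_sedcmds(event):
    """Apply the SEDCMD patterns above with Python's re, to check they yield the same event."""
    for pattern, repl in SEDCMDS:
        event = re.sub(pattern, repl, event, count=1)
    return event
```

Anything dropped this way is gone before indexing, so the allow-list needs agreement from whoever investigates these events; the policy and rule names being removed are often the first thing an analyst asks for.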